A malicious app running on your Mac could steal your cache of passwords, a teenage security researcher has found.
Calling his exploit KeySteal, Linus Henze demonstrated on YouTube how the attack would work. It takes advantage of a flaw in the code that runs a Mac’s internal stores of passwords, called keychains. As the malicious application works, it pulls up a list of passwords for apps that commonly interface with computers, like Facebook and Twitter.
Henze, who told Forbes he’s 18 years old and lives in Germany, didn’t immediately respond to a request for comment. Apple security researcher Patrick Wardle said he’s seen the exploit up close and can confirm it works. But to target you, hackers first have to get you to run malicious software on your Mac, which is a “high prerequisite,” Wardle said.
Still, the results would be very useful for any hacker who succeeded. Instead of maintaining an unauthorized presence on your computer with malware, they could simply get all of your login credentials and then delete the malicious program. Then they could log back into your accounts legitimately.
“All you need is the password,” Wardle said.
Apple didn’t immediately provide a comment for this story.
The exploit can access passwords in the “login” and “System” keychain, according to Tom’s Guide.
Henze told Forbes that he’s declining to give Apple details of his malicious code because the company doesn’t pay researchers when they find flaws that hackers can exploit. Wardle echoed that opinion, saying the best way for Apple to ensure that the highly sensitive keychain is secure would be to encourage security researchers to find flaws by paying them.
That doesn’t leave you totally vulnerable to this flaw, though. Hackers would still need to implant malicious software on your computer. And even though Henze has discussed the flaw publicly, he hasn’t told potential hackers all the steps they’d need to take to re-create his malicious app.
If you’re still concerned, you can manually lock your Mac’s keychains. To do that, open the Spotlight search bar by pressing Command + Space. Type in “keychain access” and select the program that comes up. Then, at the top right of your screen, right-click on the menu item that says “login.” Select “lock keychain login” from the drop-down menu that appears.
The only problem? You’ll have to go back and manually unlock your keychain if you want to allow apps to access it. So for now, you should only do this if you consider yourself a high-value target for hackers.